package com.android.webserver.security;

import java.util.ArrayList;

import android.net.UrlQuerySanitizer;

import com.android.webserver.tornado.Request;

/**
 * @author Baptiste GOURDIN
 *
 */
public class URLScan
{
	ArrayList<String>			DenyUrlSequences;
	ArrayList<String>			DenyQueryStringSequences;

	private static String	URLWhiteList		= "^[a-zA-Z0-9./\\-_]+$";
	private static String	QueryWhiteList	= "^(&?[a-zA-Z0-9./\\-_+=,;:])*$";

// FIXME : URLScan configuration 
	
	/**
	 * Proceed a list of checks on the querry
	 * 1) URL Whitelisting (^[a-zA-Z0-9./\\-_]+$)
	 * 2) QueryWhitelisting (^(&?[a-zA-Z0-9./\\-_+=,;:])*$)
	 * @param request	HTTP request to validate
	 * @return	True if the request has been validated, false else.
	 */
	public static Boolean scanRequest(Request request)
	{
		if (!request.getFullPath().matches(URLWhiteList))
			return false;

		UrlQuerySanitizer uqs = new UrlQuerySanitizer();

		String query = uqs.unescape(request.getRequestQuery());

		if (!query.matches(QueryWhiteList))
			return false;

		return true;
	}
}
